Wednesday, February 27, 2019
In a recent episode of Unit 42’s podcast, Don’t Panic (S3E3, "Threat Actor Names"), Rick Howard, Palo Alto Networks CSO, and Ryan Olson, Palo Alto Networks senior director of threat intelligence, hash out threat actor naming.
Olson and Howard kick off the discussion with an example from Dragos. The ICS security company had established new names for threat actor groups, some of which hadn’t been tracked before and others that had been, with research already published. The “kerfuffle” that followed (mostly on Twitter, as Olson notes) involved questioning why new names were necessary. The new names meant professionals would need to track one more name, which could potentially lead to unnecessary confusion.
While Olson and Howard admit this “kerfuffle” is not something to panic about, it’s definitely an area ripe for discussion, and one that could use a little more attention.
Naming threat actors serves a useful purpose. As Olson and Howard discuss, threat actor names are a helpful shorthand that makes it easy to recall attacks without getting bogged down in technical details. However, confusion arises when organizations introduce new names for attacks that were previously named, or when names are duplicated.
In addition, it’s important to remember that some organizations essentially brand their threat names. These organizations choose names with their specific viewpoint in mind. Re-using that name could cause legal or trademark issues down the road.
According to Howard and Olson, Unit 42 follows this simple rule: If a threat actor already has a good name that’s known and used in the community, Unit 42 uses that name, too.
Although it’s not realistic for the cybersecurity community to unanimously agree on each and every threat name, it’s important to keep these tips in mind.
We want to hear from you! Listen to Don’t Panic season 3, episode 3, “Threat Actor Names,” then answer our short survey questions below.